Konstantin Kliakhandler writes:

> For what it is worth, the current discussion is actually precisely what I
> was aiming at. I agree with your analysis of my intended goals but
> completely disagree that SHA1 alone is any sort of guarantee. To be
> precise, I don't just think that it doesn't provide much, but rather that
> alone it provides none at all. This is because I have no idea who produced
> a given SHA1 - whether it was Bastien, or a MITM attacker, or just someone
> who compromised the server.

Getting the same data via https doesn't give you that sort of guarantee either, it only ensures that the data cannot be read and altered in transport. If the server or repo gets compromised, then it is game over until someone notices that the server suddenly doesn't match up the local clone.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs